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The majority of fatal aircraft accidents are associated with ‘loss- of- control’. Yet the 
notion of loss-of-control is not well-defined in terms suitable for rigorous control systems 
analysis. Loss-of-control is generally associated with flight outside of the normal flight 
envelope, with nonlinear influences, and with an inability of the pilot to control the aircraft. 
The two primary sources of nonlinearity are the intrinsic nonlinear dynamics of the aircraft 
and the state and control constraints within which the aircraft must operate. In this paper 
we examine how these nonlinearities affect the ability to control the aircraft and how they 
may contribute to loss-of-control. Examples are provided using NASA’s Generic Transport 
Model. 
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x State vector 

y Measurements 

z Regulated variables 

(i Bifurcation parameter 

u Control inputs 

a Angle of attack, rad 

/ 3 Side slip angle, rad 

V Velocity, ft/s 

X x inertial coordinate, ft 

Y y inertial coordinate, ft 

Z z inertial coordinate, ft 

p x body- axis angular velocity component, rad 

q y body- axis angular velocity component, rad 

r z body-axis angular velocity component, rad 

u x body-axis translational velocity component, ft/s 

v y body-axis translational velocity component, ft/s 

w z body-axis translational velocity component, ft/s 

0 Euler roll angle, rad 

6 Euler pitch angle, rad 

0 Euler yaw angle, rad 

Heading, rad 

7 Flight path angle, rad 
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A System matrix of a linear system 

B Control matrix of a linear system 

C Output matrix of a linear system 

J Jacobian matrix of a multivariable vector function 

A, v Eigenvalue and eigenvector of the Jacobian matrix J 

T Thrust, lb 

S e elevator input, rad 

5 a Aileron input, rad 

5 r Rudder input, rad 

C envelope 

<S safe set 


I. Introduction 

R ecent published data shows that during the ten year period 1997-2006, 59% of fatal aircraft accidents 
were associated with Loss- of- Control (LOC). 1 Yet the notion of loss-of-control is not well-defined in 
terms suitable for rigorous control systems analysis. The importance of LOC is emphasized in 2 where the 
inadequacy of current definitions is also noted. On the other hand, flight trajectories have been successfully 
analyzed in terms of a set of five two-parameter envelopes to classify aircraft incidents as LOC. 3 As noted 
in that work, LOC is ordinarily associated with flight outside of the normal flight envelope, with nonlinear 
behaviors, and with an inability of the pilot to control the aircraft. These results provide a means for 
analyzing accident data to establish whether or not the accident should be classified as LOC. Moreover, they 
help identify when the initial upset occurred, and when control was lost. The analysis also suggests which 
variables were involved, thereby providing clues as to the underlying mechanism of upset. However, it does 
not provide direct links to the flight mechanics of the aircraft, so it cannot be used proactively to identify 
weaknesses or limitations in the aircraft or its control systems. Moreover, it does not explain how departures 
from controlled flight occur. In particular, we would like to know how environmental conditions (like icing) 
or faults (like a jammed surface or structural damage) impact the vulnerability of the aircraft to LOC. 

LOC is essentially connected to the nonlinearity of the flight control problem. Nonlinearity arises in two 
ways: 1) the intrinsic nonlinearity of the aircraft dynamics, and 2) through state and control constraints. In 
this paper we consider control issues that arise from both sources. 

First, we examine the implications of the nonlinear aircraft dynamics. Bifurcation analysis is used to 
study aircraft control properties and how they change with the flight condition and parameters of the aircraft. 
The paper extends results previously introduced by the authors in. 4,5 There we showed that the ability to 
regulate a system was lost at points associated with bifurcation of the trim equations; ordinarily indicating 
stall in an aircraft. Such a bifurcation point is always associated with a degeneracy of the zero structure of 
the system linearization at the bifurcation point. Such degeneracies include loss of (linear) controllability 
or observability, redundant controls (rank degeneracy of the B matrix) and/or redundant outputs (rank 
degeneracy of the C matrix). As such points are approached, the ability to regulate degrades so that the 
performance of the regulator (or pilot) may deteriorate before the bifurcation point is actually reached. The 
equilibrium surface or set of trim conditions is a submanifold of the state-parameter space that is divided 
into open sets by the bifurcation points. Within each region a linear regulator can be designed. However, a 
regulator designed in one region will fail if applied in a neighboring region. 6 

Second, we consider how state and control constraints relate to LOC. Recall that the Commercial Aircraft 
Safety Team (CAST) defines in-flight LOC as a significant deviation of the aircraft from the intended flight 
path or operational envelope. 7 The flight envelope represents a set of state constraints, so we consider the 
control issues associated with preventing departure from the constraint set. To do so, we use the notion of 
a safe set 8 or viable set. 9 Suppose an acceptable operating envelope is specified as a domain C in the state 
space. The safe set <S is the largest positively control-invariant set contained in C. Consequently, for any 
initial state in <S there exists a control that keeps the trajectory within S. On the other hand for an initial 
state in C but not in <S, there is no admissible control that will keep the trajectory in C, the acceptable 
region. Thus, transitions out of <S will require a restoration control that necessarily includes some period of 
time outside of C. 

This paper will discuss LOC in terms of controllability /observability, bifurcation analysis, and safe sets 
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analysis. The inter-relationships between these attributes and their relationship to aircraft LOC will be 
discussed. Investigating LOC requires the use of aircraft dynamical models that are accurate outside of the 
normal flight envelope. In particular it is necessary to characterize post stall and spin behaviors that are 
often associated with LOC events. Until recently, such models were not available for large transport aircraft. 
Recent and ongoing work at the NASA Langley Research Center has focused on building aerodynamic models 
adequate for simulation and analysis in these regimes. 10, 11 A central element in this effort is NASA’s Generic 
Transport Model (GTM) 12 - a 5.5 % dynamically scaled commercial transport model. The GTM will be 
used to provide analysis examples. 

In Section II we provide a short discussion of the LOC problem and in Section III we briefly describe 
the Generic Transport Model (GTM). Section IV addresses the bifurcation analysis of controlled dynamical 
systems. Among other things we specifically address control issues that arise near stall. We illustrate 
uncontrolled departures of the GTM near stall and give some first illustrations of recovery from post departure 
states. In Section V we consider difficulties associated with remaining within a specified flight envelope when 
control authority is limited. Finally, in Section VI we summarize our results. 

II. The Loss-of- Control Problem 

Although the majority of fatal aircraft crashes over the past decade or so have been attributed to LOC, 
its meaning is ambiguous. Generally, a pilot will report LOC if the aircraft does not respond as expected. 
Consequently, pilot experience can be a major variable in assessing LOC. What LOC is to one pilot may not be 
to another. Recently, Wilborn and Foster 3 * have proposed quantitative measures of LOC. These Quantitative 
Loss-of- Control (QLC) metrics consist of envelopes defined in two dimensional parameter spaces. Based on 
the analysis of 24 data sets compiled by the Commercial Aircraft Safety Team (CAST) Joint Safety Analysis 
Team (JSAT) for LOC 7 five envelopes have been defined: 

1. Adverse Aerodynamics Envelope: (normalized) angle of attack vs. sideslip angle 

2. Unusual Attitude Envelope: bank angle vs. pitch angle 

3. Structural Integrity Envelope: normal load factor vs. normalized air speed 

4. Dynamic Pitch Control Envelope: dynamic pitch attitude ( 0 + 0 At) vs. % pitch control command 

5. Dynamic Roll Control Envelope: dynamic roll attitude (0 + 0 A t) vs. % lateral control command 

The authors provide a compelling discussion of why these envelopes are appropriate and useful. Flight 
trajectories from the 24 CAST data sets are plotted and the authors conclude maneuvers that exceed three 
or more envelopes can be classified as LOC, those that exceed two are borderline LOC and normal maneuvers 
rarely exceed one. According to Ref. 3, the precipitating events of the CAST LOC incidents were: stalls 
(45.8%), sideslip-induced rolls (25.0%), rolls from other causes (12.5%), pilot-induced oscillation (12.5%) , 
and yaw (4.2%). 

These results are important. They provide a means for analyzing accident data to establish whether or 
not the accident should be classified as LOC. Moreover, they help identify when the initial upset occurred, 
when control was lost and suggests which variables were involved. However, because the approach does not 
directly connect to the flight mechanics of the aircraft, it does not identify weaknesses or limitations in the 
aircraft or its control systems. Moreover, it does not explain how departures from controlled flight occur. In 
particular, we would like to know how environmental conditions or actuator failures or structural damage 
impact the vulnerability of the aircraft to LOC. To do this we need a formal analytical definition of LOC. 

Another important study 2 reviews 74 transport LOC accidents in the fifteen year period 1993-2007. 
Of these the major underlying causes of LOC are identified as stalls, ice contaminated airfoils, spatial 
disorientation, and faulty recovery technique. 

An aircraft must typically operate in multiple modes that have significantly different dynamics and 
control characteristics. For example, cruise and landing configurations. Within each mode there may be 
some parametric variation, such as weight or center of mass location, that also affects aircraft behavior. 
Each mode has associated with it a flight envelope restricting speed, attitude and other flight variables. 
Under normal conditions keeping within the flight envelope provides sufficient maneuverability to perform 
the mode mission while insuring structural integrity of the vehicle for all admissible parameter variations and 
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all anticipated disturbances. Abnormal conditions, e.g., icing, faults or damage, will alter aircraft dynamics 
and may require the definition of a new mode with its own flight envelope. 

Ordinarily a flight envelope can be considered a convex polyhedral set, not necessarily bounded, in the 
state space. Thus, the aircraft needs to operate within the state constraints imposed by the envelope. 
Insuring that an aircraft remains within its flight envelope is called envelope protection. Envelope protection 
is generally the responsibility of the pilot although there is an increasing interest in and use of automatic 
protection systems. 13-16 

Because the controls themselves as well as the states are constrained, the question of whether it is even 
possible to keep the aircraft within the envelope is not trivial. Questions like this have been considered in 
the control literature. 8, 9,1 7-20 In Section V below we discuss the problem of identifying the largest set within 
a prescribed envelope which can be made positively invariant and of characterizing the control strategy 
necessary to do so. This set will be called the safe set. It is possible to be inside of the envelope and yet 
outside of the safe set. In which case it is impossible, no matter how clever the pilot or the control system, 
to keep the aircraft within its flight envelope. In a strict sense departure from the safe set implies LOC. It 
may, of course, be possible to employ a recovery strategy to restore the system to the safe set. So an aircraft 
may be out of control and yet recoverable. 

Besides the control bounds, other restrictions may be placed on the admissible controls that could further 
restrict the safe set. For instance, we could require that only smooth feedback controls be employed. These 
and related issues will be discussed below. 

The prevalence of stalls in out of control incidents suggests the importance of bifurcation behavior as a 
factor in LOC. We discuss this further in Section IV. 

III. The Generic Transport Model 

In the subsequent discussion we will frequently provide examples based on NASA’s Generic Transport 
Model (GTM). Data obtained from NASA have been used to develop symbolic and simulation models. 
Nonlinear symbolic models are used to perform bifurcation analysis and nonlinear control analysis and 
design. Linear Parameter Varying (LPV) models are derived from the nonlinear symbolic model and are 
used to study the variation in the structure of the linear system controllability properties around bifurcation 
points. Simulation models are also automatically assembled from the symbolic model in the form of optimized 
C-code that compiles as a MEX file for use as an S-function in Simulink. 

The six degrees of freedom aircraft model has 12 or 13 states depending on whether we use Euler angles 
or quaternions. In the Euler angle case the state is given by x = [0, 0, 0, X, Y, Z , p, g, r, u, v, w] T . There are 4 
control inputs, given by u = [T, S e , 5 a , 5 r ] T . The controls are limited as follows: thrust 0 < T < 35.4372 Z6/, 
elevator —40° < S e < 20°, aileron —20° < S e < 20°, and rudder —30° < S e < 30°. Velocity is in ft/s. The 
state space representation of the model is 

x = f(x,u,n) 

where the vector ji consists of certain distinguished parameters of the aircraft such as mass or center of mass 
location. 

Aerodynamic models were obtained from NASA. They are based on data obtained with a 5.5 % scale 
model in the NASA Langley 14 ft x 22 ft wind tunnel as described in. 11 Aerodynamic force and moment 
coefficients are generated using a multivariate orthogonal function method as described in. 21 ’ 22 In the original 
NASA model several regions of angle of attack were used to capture severe nonlinearity. These models were 
blended using Gaussian weighting. For simplicity we use only one of the models for the analysis herein. 

IV. Bifurcation Analysis of Control Systems 

Departures from controlled flight like stall and spin have concerned aircraft engineers from the earliest 
days of flight. In recent years departure has been analyzed by using a combination of simulation and flight 
test (with manned aircraft or scale models - see, for example, the informative report 23 ). An example, that 
may be considered ’state-of-the-art’ for studies of this type concerns the falling leaf and related behaviors 
of the F- 18. 24-26 Only in the past two decades have formal methods of bifurcation analysis been applied to 
aircraft. 4, 27-36 Bifurcation analysis has been employed to identify the conditions for occurrence of undesirable 
behaviors, to investigate recovery methods from dangerous post bifurcation modes and to formulate feedback 
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control systems that modify bifurcation behavior. 

In this paper we consider the regulation of aircraft to a desired trim condition. In general the equations 
of motion of a rigid aircraft involve six degrees of freedom involving the six coordinates 0, 6 , ip, X , Y, Z and 
six (quasi-) velocities p , q , r, u , v , w. In the study of steady motions it is usual to ignore the inertial location 
(X, Y, Z) and consider only the velocities and attitude of the vehicle. The reduced dynamics comprise a 
nine dimensional system of state equation that are nonlinear and may be parameter dependent. We are 
concerned with steady motions that can be defined in terms of these variables. In particular, these motions 
are trajectories in the inertial (X, Y, Z ) space, that can be associated with equilibria of the nine state system. 
We would like to know whether or not it is possible to regulate to and steer along these motions. Thus, we 
are naturally lead to the study of the existence and stabilizability of equilibria. 


A. Control issues at stall 

Consider a parameter dependent, nonlinear control system given by 

x = f(x,u,p) 

z = h{x,n) (1) 


where x £ R n are the states, u £ R p are the control inputs, z £ R r are the regulated variables and (i £ R 
is any parameter. We assume that /, h are smooth (sufficiently differentiable). The parameter could be a 
physical variable like the weight of the aircraft or the center of gravity location; or a regulated variable like 
velocity, flight path angle, altitude or roll angle; or the position of a stuck control surface. The regulator 
problem is solvable only if p > r. Since the number of controls can always be reduced we henceforth assume 
p = r. 

A triple (x*,u*,p*) is an equilibrium point (or trim point) of (1) if 


F(x*,u*,n*) 


( f(x*,u*,p*) 
\ h(x*,p*) 


= 0 


( 2 ) 


The equilibrium surface is the set £ = {(x, u, p) e ppi+m+k |_p u, //) = 0 }. 

Definition 4.1 * An equilibrium point (x*,u*,p*) is regular if there is a neighborhood of p* on which there 
exist unique, continuously differentiable functions x{p), u(p) satisfying 


F(x(fj,),u(p,),p) = 0 


( 3 ) 


If an equilibrium point is not a regular point it is a static bifurcation point. The Implicit Function Theorem 
implies that an equilibrium point is a bifurcation point only if det J = 0. The Jacobian J is given by 


J = [D x F(x*, u*, fj,*) D u F(x*, «*, //)] 


Now, if A, B, C, D denotes the linearization at (x*, u*, p*) of (1) with output z so that 


J = 


A B 
C 0 


( 4 ) 


Then we have the following theorem for a static bifurcation point. 

Theorem 4.2 ^ An equilibrium point (z*,w*,/i*) is a static bifurcation point only if 

Im (c z)* Rn+r ( 5 ) 

Recall that the system matrix is 

From this observation, necessary conditions for a static bifurcation point can be obtained as follows: 5 
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Theorem 4.3 The equilibrium point (a?*, u*, //*) as a static bifurcation point of (1) only if one of the following 
conditions is true for its linearization: 

1. there is a transmission zero at the origin , 

2. there is an uncontrollable mode with zero eigenvalue, 

3. there is an unobservable mode with zero eigenvalue, 

4- it has insufficient independent controls, 

5. it has redundant regulated variables. 

The key implication of this theorem is that the ability to locally regulate the system diminishes as the 
bifurcation point is approached. 6,37 In fact a linear regulator (indeed a smooth feedback regulator) does 
not exist at the bifurcation point. 4 At the bifurcation point an arbitrarily small perturbation of parameters 
changes the zero structure of the system thereby requiring a fundamental change in the controller. 6 The 
point we wish to emphasize is that losing the capacity to regulate nonlinear flight dynamics is intimately 
connected to the bifurcation structure of the trim equations of the aircraft. Thus, at least some forms of 
LOC can be rigorously connected to the flight dynamics. This argument is also made very strongly in. 33 

B. Uncontrolled departures near stall: GTM example 

In this section our goal is to illustrate departures from controlled 
flight near stall bifurcation points. 

We describe simulated GTM departures from a coordinated turn 
at various speeds near the stall speed. In each case the aircraft is 
trimmed very near a coordinated turn equilibrium condition. The 
controls are then fixed and the resultant trajectories are observed. 

Below we show results for three speeds - 90 ft/sec, 87 ft/sec, and 85 
ft/sec. The last being very close to the stall speed. See Figure .1. 

The equilibrium surface was generated as a function of airspeed us- 
ing a continuation method as described in. 38 One projection of this 
surface is shown in Figure .1 which shows elevator deflection S e as a 
function of speed, the parameter V. The points selected for simula- 
tion are identified in the figure. 

Figures .2 and .3 on the next page present a snapshot of the re- 
sults. The former show the ground tracks and the latter display the 
aircraft attitude in terms of the Euler angles. 



V, ft/sec 

Figure .1. A portion of the coordi- 
nated turn equilibrium surface shows 
elevator deflection as a function of 
speed. 





(a) 90 ft/sec (b) 87 ft/sec (c) 85 ft/sec 


Figure .2. Coordinated turn ground track, (a) at 90 ft/sec the the aircraft stabilizes in a coordinated turn, 
(b) at 87 ft/sec, closer to the stall speed, the aircraft departs from the coordinated turn and enters a periodic 
motion much like an extremely exaggerated Dutch roll, (c) at 85 ft /sec, approximately stall speed, the aircraft 
departs to an erratic motion, possibly chaotic. 
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At 90 ft /sec the aircraft cleanly enters the coordinated turn. At 87 ft /sec, closer to stall speed, it departs 
from trim and within 20 seconds enters a well-formed, slowly descending, periodic motion with rather violent 
swings in attitude, particularly roll. At stall speed, 85 ft /sec, the vehicle departs from trim and enters a 
steeply descending, apparently chaotic motion with increasingly violent attitude swings. The simulation 
model utilizes a quaternion representation of attitude from which the Euler angles are computed. These are 
displayed in Figure .3. 



Figure .3. Coordinated turn attitude, (a) at 90 ft /sec the attitude stabilizes as expected, (b) at 87 ft/sec 
the aircraft enters a periodic trajectory, (c) at 85 ft/sec, approximately stall speed, the aircraft departs to an 
erratic motion. 


As described in , 3 the angle of attack versus sideslip angle plot, i.e., the Adverse Aerodynamics Envelope, 
is a useful indicator of LOC. The simulation results are shown in Figure .4. We see the well contained data set 
for 90 ft /sec, and even for 87 ft/sec. However, the stall departure case, 85 ft /sec, suggests a serious control 
problem although this trajectory is obtained with fixed controls. This is consistent with the observations in 
Section A. 



M<Ng) 



(a) 90 ft/sec 


(b) 87 ft/sec 


(c) 85 ft/sec 


Figure .4. The adverse aerodynamics plot of the simulated trajectories suggests a serious control problem for 
the stall departure case (c). 


C. Control properties around the bifurcation point: GTM example 

In accordance with Theorem 4.3 we anticipate some degeneracy in the linear system zero dynamics at the 
bifurcation point. To illustrate this we again consider the GTM, this time in a straight, wings level climb 
with flight path angle of 0.1 rad (5.7 deg). The equilibrium points are plotted as a function of speed in 
Figure .5. We first compute a parameter dependent family of linear systems (LPV model) using the method 
described in Ref 39. We construct a two-parameter family, the parameters being speed, V, and flight path 
angle, 7 . The equilibrium surface approximation (and hence the LPV model) is third order in the parameters 
and generated at the bifurcation point shown in Figure .5 (a). The ‘other 5 equilibria, shown in Figure .5 (b) 
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are obtained from the approximation and displayed in the figure with the true equilibrium curve. Analysis 




V, ft/sec V, ft/sec 

(a) Bifurcation point. (b) Other equilibria. 


Figure .5. The equilibrium curve is shown for straight, wings level climb with speed as the parameter. The stall 
point is indicated in (a) . A two parameter LP V model is derived around the bifurcation point with parameters 
speed and flight path angle. This involves deriving a polynomial approximation to the equilibrium surface 
around the bifurcation point (see 39 ). In (b) several points are computed from the approximating surface are 
compared to the actual surface. 

shows that the LPV system is uncontrollable at the bifurcation, but controllable at points arbitrarily near the 
bifurcation point. Furthermore, controllability degrades as the bifurcation point is approached. To see this 
we evaluate the controllability matrix at selected equilibrium points and compute its minimum singular value 
at each of the points shown in Figure .5. The results are shown in Table 1, with the bifurcation point shown 
in bold typeface. As explained in , 39 parameterization of the equilibrium manifold around singular points 
requires replacement of the physical parameters by suitable coordinates on the manifold. The variables s i, s 2 
in Table 1 denote the coordinates used herein. Fixing s 2 = 0 and varying s i produces a slice through the 
surface corresponding to fixed 7 and varying V. 


Table 1. Degree of Controllability 


Si 

S2 

y 

<5e 

®min 

0.010000 

0.00 

83.7759 

-16.4569 

0.00186924 

0.005000 

0.00 

83.3882 

-18.3686 

0.00098419 

0.001000 

0.00 

83.2658 

-20.1175 

0.00022455 

- 0.000104 

0.00 

83.2599 

- 20.6466 

0.00000000 

-0.000500 

0.00 

83.2607 

-20.8418 

0.00008107 

-0.006500 

0.00 

83.4491 

-24.2201 

0.00153969 

- 0.010000 

0.00 

83.7040 

-26.6229 

0.00276331 


We note that even though the system fails to be linearly controllable at the bifurcation point it is locally 
(nonlinear ly) controllable in the sense that the controllability distribution has full generic rank around the 
bifurcation point. The implication is that any stabilizing feedback controller would certainly be nonlinear 
and probably nonsmooth. 
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D. Remarks on recovery from stall 

The GTM appears to be remarkably stable. In the coordinated turn illustrated above, the stall speed is 
about 85 ft/sec. With the controls fixed at their stall equilibrium values the aircraft enters a spin and dives. 
After several seconds into the spin we reset the controls to their stable 90 ft/sec values. Figure .6 shows the 
recovery when the controls are reset after 10 seconds. This was intended as an experiment to determine if 
the vehicle dynamics would permit recovery. No assessment was made as to whether this is an acceptable 
strategy. In particular we did not evaluate structural integrity although it appears that peak acceleration 
is less than 2 g’s. The vehicle drops about 1400 feet. It is worth noting that the simulations show that 



Figure .6. Coordinated turn recovery from stall. The vehicle stalls at about 85 ft/sec during a coordinated 
turn. After 10 seconds the controls are reset to the 90 ft/sec values, (a) The speed peaks at about 215 ft/sec 
13 sec after stall before stabilizing at 90 ft/sec. (b) The ground track follows the pattern of Figure .2 until the 
controls are reset. Then it stabilizes into the turn, (c) The aircraft drops about 1400 ft. during the recovery. 

recovery can take place even further into the spin. Of course, with significantly greater loss of altitude. 


V. Constrained Dynamics 

The safe operation of an aircraft requires that certain key variables remain within specified limits. Com- 
plicating this is the fact that aircraft are continuously subjected to disturbances and the control responses 
are also strictly constrained by actuator limits. The control of systems with state and control constraints is 
a fundamental problem in control theory that has a substantial literature going back decades, e.g. 40,41 In 
the following paragraphs we consider how some of this work contributes to our understanding of LOC. 

A. Control with state and control constraints 

All commercial aircraft are required to respect specified flight envelope restrictions. For example in normal 
(unimpaired) flight a typical aircraft will have: load factor limitations and also attitude (pitch and roll) and 
speed limitations. Indeed most aircraft employ envelope protection controllers. The protective actions taken 
can range from reshaping pilot commands to taking over control until the aircraft is restored to within the 
desired envelope. These systems present transition issues just like any other switching system. While there is 
no comprehensive theory of envelope protection, it has been addressed in the literature, for example. 14,15 ’ 42 
An important factor in these controllers is that the control responses are limited. For example, control 
surfaces have a restricted range of motion and are limited in the control forces that can be generated by 
them. 

Consider a controlled dynamical system 

x = f (x, u ) , x e R n , u eU c R m (6) 

where the set U is closed, bounded and convex. Also, suppose the desired envelope is a convex, not nec- 
essarily bounded, subset C of the state space R n . Feuer and Heyman 41 study the general control problem 
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of interest to us. Specifically, under what conditions does there exist for each i 0 eCa control u (t) C U 
and a corresponding unique solution x (t;x Q ,u) that remains in C for allt > 0? While some basic results 
are provided in, 41 the general case is unresolved. Concrete results have subsequently been obtained for 
special cases. Especially for linear dynamics with polyhedral constraint sets. 8, 9,17 “ 20, 40,43 In the following 
paragraphs we apply some of the more recent results. 

B. The safe set 

There are two fundamental issues that need to be addressed: Is it possible to remain within a specified 
subset of the state space?, and, If so, what control actions are required to insure the aircraft remains within 
it? These questions have been raised in the literature, for example. 8,9,43 
Furthermore, suppose that C is defined by 

C = {xeR n \l(x) >0} (7) 

where l : R n — ► R is continuous. The boundary of C is the zero level set of Z, i.e., dC = {x £ R n \ l (z) = 0}. 
The safe set is defined as the largest positively control-invariant set contained in C. Several investigators have 
considered the computation of the safe set, the most compelling of which involve solving the Hamilton- Jacobi 
equation. We describe one of several variants; this one due to Lygeros. 9 

Suppose that we are concerned with the operation of the system (6) over a time interval [0, T\ for some 
fixed terminal time 0 < T < oo. The safe set is defined for each t G [0,T] as the set of points x for which 
there exists at least one control u on the interval [i, T] such that the trajectory emanating from x remains 
in C until the terminal time: 

<S (£, C) = {x £ R n 1 3u (r) C Z7, Vr e [£, T ] : cf)(r;x (t ) , u (t)) C C } (8) 

The main result in [9] is the following. Suppose V (x, t) is a viscosity (or, weak) solution of the terminal 
value problem 

dV ( dV 1 

— +min|0, sup — f{x,u)\ = 0, V{x,T)=l{x) (9) 

then 

<S (t, C) = {x e R n \V (x 9 1) > 0 } (10) 

The function V ( x , t ) is in fact the ’cost-to-go’ associated with an optimal control problem in which the goal 
is to choose u (£) so as to maximize the minimum value of l (x { t )). The function V (x,t) inherits some nice 
properties from this fact. For instance it is bounded and uniformly continuous. Define the Hamiltonian 

H (p,x) = min < 0, supp T / (x, u) > (11) 

l ueu ) 

dV ( dV \ 

+ J=0, V(x,T) = l(x) (12) 

V (x,t) is the unique, bounded and uniformly continuous solution of (9) or (12). Notice that the control 
obtained in computing the Hamiltonian (11) insures that when applied to each state along any trajectory 
initially inside of <S the resulting trajectory will remain in <S. It follows that this control should be applied 
for states on its boundary to insure that the trajectory does not leave S. 

The envelope defined by (7) can be generalized to an envelope with piecewise continuous boundary. For 
example, suppose the envelope is defined by 

C = {x e R n \h (x) > 0,i = 1, ■ • • , K} (13) 

Where each of the li (x) are continuous functions. Then we need to solve K problems with 

Cj = {x e R n \lj {x) > 0} , j = 1, . . . , K 

to obtain the largest control invariant set in each Cj and then take their intersection. There are many physical 
problems in which the tracking of moving boundaries separating to regions of space are important. So it is 
not surprising that the numerical computation of propagating surfaces is a mature field. The most powerful 
methods exploit the connection with the Hamilton- Jacobi equation and associated conservation laws; see the 
survey [44]. 
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C. Computing the safe set: the GTM example 

The longitudinal dynamics of a rigid aircraft can be written in path coordinates: 

0 = q 

x = V cos 7 

z = V sin7 

V = i (Tcosa- \pV 2 SC D (a,S e ,q) -mg sin 7) (14) 

7 = ( T sin a + IpV^SCl (a, S e ,q) - mg cos 7) 

q = 7^, M = (5 pV 2 ScC m ( a,S e ,q ) + \pV 2 ScC z (a,6 e ,q) ( x cgre f - x cg ) - mgx cg +l t T ) 
a = 6 — 7 

A classic analysis problem of aeronautics was introduced by Lanchester 45 over one hundred years ago - the 
long period phugoid motion of an aircraft in longitudinal flight. The phugoid motion is a roughly constant 
angle of attack behavior involving an oscillatory pitching motion with out of phase variation of altitude and 
speed. The ability to stabilize the phugoid motion using the elevator or thrust is important. The inability 
to do so has been linked to a number of fatal airline accidents including Japan Airlines Flight 123 in 1985 
and United Airlines Flight 232 in 1989. 46 

We will illustrate the safe set computations by examining the controlled phugoid dynamics of the GTM. 
The problem is similar to one considered in [9,43] The key assumption is that pitch rate rapidly approaches 
zero so that the the phugoid motion is characterized by q = 0. Thus, we must have 

M = (\pV 2 ScC m (a,S e ,q) + \pV 2 ScC z {a,6 e ,q) {x cgref - x cg ) - mgx cg +l t T) =0 (15) 

From (15) we obtain a quasi-static approximation for the angle of attack 

a = a(V, T, S e ) (16) 

so that the V — 7 equations in (14) decouple from the remaining equations. Thus, we have a closed system 
of two differential equations that define the phugoid dynamics: 

V = i (TcoscE- \pV 2 SC D (a,5 e ,0) - mg sin 7) 

7 = ( T sin ® + \pV 2 SC L (S, S e: 0) - mg cos 7) 

We specify an operating envelope 

C = {(U, 7) |90 < V < 240, -22 < 7 < 22 } 


and control restraint set 

U = {(T,6 e ) |0 < T < 30,-40 < S e < 20} 

Figure .7 shows the safe set, <S. The points in C\S produce trajectories that exit the envelope. The difficulty 
is that at these low speeds it is not possible to generate enough lift to prevent the aircraft from descending 
along an unacceptable flight path angle. The trajectory illustrated has maximum thrust and maximum 
elevator deflection. These are the controls that maximize 7. Yet the flight path angle 7 drops below the 
minimum threshold thereby the trajectory departs the envelope C. 

VI. Conclusions 

In this paper we give new insights into LOC based on the control analysis of the flight dynamics. We 
show how the controllability properties of the aircraft diminish near critical points of the trim equations 
- i.e., stall. Our results show that when operating near stall control properties can change fundamentally 
with small changes in the aircraft state. Thus a small disturbance can cause a dramatic change in how an 
aircraft responds to pilot inputs. The analysis is applied to the GTM model in a nominal configuration. The 
method can be easily applied to systems in non-normal situations, especially those that can be modeled with 
parameter variation, such as aft center of mass 4 or icing. Preliminary results suggest that an unimpaired 
GTM-like aircraft may be recoverable from post stall departures with relatively simple strategies. 
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V, ft/sec 


Figure .7. The original envelope is the shaded region. The safe set is the region enclosed within the black 
boundary. Trajectories beginning in the excluded region, i.e., the lower left corner of the envelope, escape the 
envelope by crossing its lower boundary even with the most propitious controls. 


Departure from the prescribed flight envelope is one aspect of LOC. We consider safe set analysis which 
is an important first step in addressing envelope protection. Roughly speaking the safe set is the largest 
set within a prescribed envelope that can be made positively invariant. In general, the safe set is smaller 
than the envelope and it is therefore necessary to apply protection to the safe set boundaries. We give an 
illustration of safe set computation using the GTM phugoid dynamics. 
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